It is unclear whether Instagram will include information about a user’s advertising profiling.
Photograph: Kirill Kudryavtsev/AFP/Getty Images

Instagram has confirmed it will let users download their personal data, including previously shared photos, videos and messages, as it prepares for the European data regulation GDPR.

While its parent company, Facebook, had announced a suite of GDPR controls, which Mark Zuckerberg emphasised during his testimony to Congress this week, Instagram had been quiet on the issue.

GDPR (General Data Protection Regulation) brings with it a number of rights for individuals, including to demand deletion of data, to opt out of future data collection, and to view the personal data a company possesses and to download it in a format that can be moved over to competitors.

These were the requirements Instagram would fulfil shortly, the company confirmed to TechCrunch. “We are building a new data portability tool,” a spokesperson said. “You’ll soon be able to download a copy of what you’ve shared on Instagram, including your photos, videos and messages.”

The tool will be helpful for users who want to extract what they have uploaded to Instagram. Treasured photos and videos can sometimes get lost in their original form, but currently there are few ways to easily access the high-resolution originals if they have been posted on the social network.

It is unclear whether the company will also include details of a user’s advertising profiling in its data download. The wealth of information included in Facebook’s equivalent service shocked some users, who were unhappy to discover that the company had tracked metadata of their text and phone conversations.

GDPR comes into effect on 25 May, which means the coming month will probably include a flurry of announcements similar to Instagram’s. Many large tech companies, including Google, have yet to confirm whether they are altering their products to comply with the regulation.

A number of data breaches may also be made public next month as companies race to beat the GDPR deadline. When the regulation comes into effect, the maximum penalty for a breach multiplies vastly from £600,000 to €20m (£17m), or 4% of global turnover.

According to EUObserver, the European commission intends to police that deadline according to the date of disclosure, not the date of the underlying breach. This means any company that has been withholding knowledge of a successful hack will need to disclose that fact sooner rather than later, or risk a hefty penalty.